Monday, December 13, 2010

Hackers – The Best Security Consultants?

Hello ICA,
The subject of whether it is ethical to use former hackers to evaluate a network’s security is a topic that is often hotly debated. In this article, I will explore the pros and cons of using former hackers in such roles.
Although the practice has been going on for quite some time, the subject of whether or not you should hire reformed hackers as security consultants has been receiving a lot of press lately. This seems to be a very touchy issue, and there are strong opinions on both sides. Since this issue has been generating so much heat, I wanted to take the opportunity to discuss both sides of it.

As for myself, Mohit – “The Evil Hackerz” (http://theevilhackerz.com/), I also prefer to work as a security consultant, because the passion you have for hacking can also be used in a way that helps others rather than harming them. Whether a hacker is good or bad depends upon how he or she uses that knowledge. I am using all my knowledge to help people secure themselves by giving them tips and explaining the hacker’s mindset through my project, Indian Cyber Army (http://cyberarmy.in/). This helps people understand how hackers can hack them, so that the common man can take the required security measures as soon as possible, before getting screwed.
Before I get started, I want to get a few things out of the way up front. First of all, every time I write any type of article on hacking, I always get at least a few e-mails from readers pointing out my misuse of the word “hacker”. In actuality, the term hacker refers to someone who likes to tinker with hardware or software in an effort to enhance its capabilities. The media and popular culture have twisted the word’s meaning into someone who breaks into computer systems. For the purposes of this article, I will use the word hacker to refer to someone who breaks into computer systems.

Another thing that I want to get out of the way is a little confession. I myself was a grey hat hacker when I started hacking. For a period of time in late 2008 and 2009, I was involved in numerous illegal hacks. I was an angry and fun-loving teenager at the time, and it just seemed like the thing to do. In 2010, however, I came to my senses and decided to go legitimate. I have refrained from illegal hacking ever since. Today, I am the owner of a security community, Indian Cyber Army (http://cyberarmy.in/). One of the services that this community offers is skill development and security awareness. Basically, in my free time, I attempt to hack into various websites, systems and networks, but only to test them; afterwards I inform their administrators that they are not secure, and I also help them to become secure.

The Positive Aspects of Grey Hat Hackers as Security Consultants
OK, now that I’ve got that out of the way, it’s time to get on with my discussion. First, I want to talk about the positive aspects of hiring former hackers as security consultants. The most obvious advantage to hiring former hackers is that they have real world hacking experience. There are some things that you just can’t learn from a book. Books do a good job of explaining basic hacking techniques. However, I can tell you from firsthand experience that every hack is different because every network is different. It’s rare for a hacker to be able to use a single technique to gain full access to a network. Often hackers have to combine multiple techniques or apply techniques in a different way than normal to compensate for various network defences. Only someone with plenty of real world hacking experience can efficiently go from using one technique to another as required by the present situation.

Another positive aspect to hiring reformed hackers as security consultants is that staying up with the latest security exploits and countermeasures is a full-time job. In most companies, the IT staff has an acceptable level of security knowledge, but they must focus most of their attention on the day-to-day responsibilities of keeping the network up and running. A good security consultant focuses almost solely on security and consequently has a level of security knowledge that goes far beyond that of most other IT professionals.

The Negative Aspects of Grey Hat Hackers as Security Consultants

Now that I have discussed some of the positive aspects to hiring former hackers as security consultants, I want to take some time and discuss the negatives. By far the biggest negative is the question of trust. Think about it for a moment. The main premise of security is deciding who you trust and then locking out everyone else. When you hire a former hacker as a security consultant, you basically trust the sanctity of your network to a former criminal. If you think about it, that’s a lot like letting someone who was convicted of burglary stay in your home when you aren’t there. If you are concerned with your network’s security, it sounds crazy to trust it to a criminal. 
As you think about how much you trust a former hacker, you must also consider the impact that a decision to hire the person will have on your customers and shareholders. What would your customers think if they knew that you were using a former criminal to test the security of a database that contains their credit card number?

There have been a lot of times over the last several months when friends have asked me to check out the security of their networks, websites etc. Although I have never been one to turn my back on a friend, I have had to turn a few people down because I just couldn’t fit the job into my schedule. On these occasions, I used to advise my friends to do a background check and a very thorough interview before hiring a former hacker (that they do not personally know) to test their network’s security. Background checks used to work fairly well. However, there have been a lot of cases lately of security consultants telling potential customers that their privacy policy prohibits them from giving out the names of other clients or details of their work. While I can certainly understand the notion of respecting your client’s privacy, a lot of unskilled, wannabe hackers are starting to use privacy policies as a way of hiding their lack of experience. This means that you will have to be extra careful with your background checks.

One other negative aspect to using hackers as security consultants has to do with the way that many security consultants operate in general. I would personally never run my consulting business in this way, but I have been around enough security consultants to know how the game is played.

A security consultant’s job isn’t to secure your network, but rather to make your company completely dependent on them. Security consultants will typically offer you a free evaluation of your network’s security. Once the evaluation is complete, they will show you a report documenting thousands of potential vulnerabilities. They try to make it seem as though it is urgent for you to secure your network. However, they make it clear that your IT staff shouldn’t be trusted to patch the vulnerabilities since they weren’t even aware that the vulnerabilities existed. As a part of the sales pitch, the consultant will discuss some of the more high profile hacks that have been in the media lately. They will compare those hacks to your network. The consultant will probably even tell you how the company that got hacked is teetering on the edge of bankruptcy because they have lost customers and because the hack did so much internal damage.

Once the consultant has convinced you that you have a huge problem, they will offer to fix the problem for a huge fee. Developing the new security policy typically requires dozens of meetings with the IT staff and all of these meetings are billable. Once the new policy has been designed, it will take the consultant weeks to implement it. Again, all of the consultant’s time is billable.
Once the new policy has been implemented, the consultant will probably insist on doing a check up several times a year. The problem is that by now, the consultant probably has their own desk in your office. They know your budget, your spending habits, and what they can say that will make you spend more money. They also know that the new security policy that they have implemented is so complex that no one understands it but them. This means that you are now completely dependent on the consultant for your security needs. If you need to make a change to the security policy, the only way that you will be able to do it is usually by calling the consultant.

Conclusion
I personally believe that hiring former hackers to evaluate your security is worthwhile (if I didn’t believe that I wouldn’t own a security community). At the same time though, I absolutely believe that if you are going to hire a former hacker (or any security consultant for that matter) then you need to take some steps to prevent yourself from getting ripped off and to prevent your company’s security from being exploited. Here are a few things that you can do to keep from being victimized by a security consultant.

Don’t completely outsource your security needs. Completely outsourcing security will cost your company a fortune and is unlikely to make your network any more secure than if you just had your security evaluated by a consultant a few times a year.

Don’t give a security consultant anything that you don’t have to. For example, never give a security consultant the administrative password. Remember that you are paying the consultant to look for holes in your network. If major security holes exist, the hacker might be able to get administrative access on their own, but you shouldn’t just hand it to them.

Use a variety of consulting firms, and let the consultants know that you will not be using them exclusively. Different consultants have different skill sets, and it is likely that one consultant will catch a security problem that another missed. This doesn’t mean that the consultant who missed the problem is incompetent. It just means that the two consultants have different skill sets. Another reason for using multiple consulting firms is that it prevents you from being put in a position in which your company is completely dependent on a specific firm.

Finally, decide how much protection your network really needs. No computer system is ever completely secure, and your company can spend an astronomical amount of money pursuing total security. To avoid spending too much money on security consultants, set realistic goals of what you want the consultant to do for you.

Thank you for reading this ICA article...
Admin, ICA.


This article is taken from Indian Cyber Army (ICA): http://cyberarmy.in/
